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REMARKS 

I* Introductory Comments 

Applicants thank the Examiner for accepting the drawings filed on January 02, 2002. 
Claims 1-31 are currently pending. Claims 1, 9, 17, and 24 are independent claims. In the 
Office Action, claims 1, 4, 9, 12, 17-19, 24, and 27 were rejected under 35 U,S,C § 103(a) as 
allegedly unpatentable over Applicants 5 Background of the Invention, U.S. Patent Application 
Publication No. 20020138416 ("Applicants' Background"), in combination with the Official 
Notice taken by the Examiner. Claims 2, 3, 5-8, 10, 1 1, 13-16, 20-23, 25, 26, and 28-31 were 
rejected under 35 U.S.C. § 103(a) as allegedly unpatentable over Applicants' Background in 
combination with U.S. Patent Application Publication No, 20020091699 ("Norton")* 

Claims 6, 7, 14, 1 5, 21, 22, 29, and 30 have been amended to fix a typographical error. 
No substantive amendments have been made in the present paper. For at least the reasons set 
forth below, all pending claims are believed to be in condition for allowance. All claim 
rejections are believed to be addressed herein. Therefore, this response is believed to be a 
complete response to the Office Action. However, Applicants reserve the right to set forth 
further arguments supporting the patentability of their claims in future papers, including the 
separate patentability of the dependent claims not explicitly addressed herein. 

II. Official Notice 

In the Office Action, the Examiner took Official Notice. Applicants expressly do not 
acquiesce to the taking of Official Notice, Therefore, Applicants respectfully request that the 
Examiner provide an affidavit in the next Office Action to support the Official Notice taken, as 
required by 37 CFR 1.104(d)(2) and MPEP § 2144.03. 

III. Argument 

A* Claim Rejections - 35 U.S.C. §103(a) 

The basic requirements for the Patent and Trademark Office to establish prima facie 

obviousness are as follows: 

To establish a prima facie case of obviousness, three criteria must be met. First, 
there must be some suggestion or motivation, either in the references themselves 
or in the knowledge generally available to one of ordinary skill in the art, to 
modify the reference or to combine reference teachings. Second, there must be a 
reasonable expectation of success. Finally, the prior art reference (or references 
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when combined) must teach or suggest all the claim limitations , 
(MPEP § 2143, emphasis added.) 

Independent Claims 1, 9, 11, and 24 Are Patentable Over Applicants' 
Background And The Examiner's Official Notice 

The Examiner asserted that independent claims 1, 9, 17, and 24 are obvious and therefore 

unpatentable over Applicants' Background, combined with the Official Notice taken by the 

Examiner. However, Applicants' Background is merely background information, and does not 

teach or suggest numerous recitations found in Applicants' claims, as discussed, in detail below, 

L "inventorying a plurality of assets of the organization, wherein 
each asset is defined to be one of an electronic asset type and a 
location asset type * * . and the location asset type includes physical 
locations where the electronic asset types are placed" 

Independent claims 1, 9, 17, and 24 each recite in part "inventorying a plurality of assets 
of the organization, wherein each asset is defined to be one of an electronic asset type and a 
location asset type . . . and the location asset type includes physical locations where the 
electronic asset types are placed," The Examiner alleged that the "Inventory and definition" 
section of Applicants' Background teaches this recitation. (Office Action, page 2,) However, 
Applicants' Background says nothing at all about "a location asset type [that] includes physical 
locations where the electronic asset types are placed." Therefore, Applicants' Background fails 
to teach or suggest at least this recitation of independent claims 1,9, 17, and 24. 

At most, Applicants' Background suggests that an "organization determines its assets 
(e.g., electronic devices, electronically stored data, etc.) that are involved in support of critical 
processes." (Applicants' Background: page 4, lines 1 1-13,) Applicants' Background states that 
there are "a number of conventional automated tools [that] can assist the organization in 
accomplishing this phase of the process." (Applicants' Background: page 4, lines 17-18.) 
However, Applicants' Background says nothing at all about a location asset type that includes 
the physical location of an electronic asset. Also, Applicants' Background doesn't teach or 
suggest that each asset is defined to be one of an electronic asset type and a location asset type. 

Because Applicants' Background fails to teach or suggest "inventorying a plurality of 
assets of the organization, wherein each asset is defined to be one of an electronic asset type and 
a location asset type . . . and the location asset type includes physical locations where the 
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electronic asset types are placed," the rejections of claims 1, 9, 17, and 24, and the claims that 

depend therefrom, should be withdrawn. 

2, "identifying at least one criterion defining a security objective of 
the organization" 

Independent claims 1,9, 17, and 24 further recite in part ''identifying at least one criterion 
defining a security objective of the organization." The Examiner alleged that the "Vulnerability 
and threat evaluation" section of Applicants' Background teaches this recitation. (Office Action, 
page 3.) However, Applicants' Background not only fails to teach or suggest at least this 
recitation of claims 1, 9, 17, and 24, but Applicants' Background also teaches away from 
identifying at least one criterion defining a security objective of the organization. 

At most, Applicants' Background teaches that there are many criteria and sets of criteria 
available to use for vulnerability and threat evaluation, For example, auditors can use any of the 
following sets of criteria: Common Criteria from Decisive Analytics; Orange Book from the 
U.S* Department of Defense; COBIT from the Information Systems Audit and Control 
Foundation; and SAS 70 from the U.S, Security and Exchange Commission, (Applicants 5 
Background: page 4, lines 17-23.) Each set of criteria contains many criteria available for use. 

However, Applicants' Background says nothing at all about identifying a criterion 
defining a security objective of the organization, but merely that there are many criteria, and sets 
of criteria available to use for vulnerability and threat evaluation. Further, Applicants' 
Background states that "[vulnerability and threat assessment is typically performed by an 
internal audit department or third party auditor using a set of assessment criteria." (Applicants* 
Background: page 5, lines 4-6.) So, Applicants* Background teaches using a pre-defined set of 
criteria, as opposed to identifying at least one criterion defining a security objective of the 
organization. Therefore, Applicants' Background actually teaches away from "identifying at 
least one criterion defining a security objective of the organization." 

Because Applicants' Background not only fails to teach or suggest "identifying at least 
one criterion defining a security objective of the organization," but also teaches away from this 
recitation, the rejections of claims 1, 9, 17, and 24, and the claims that depend therefrom, should 
be withdrawn. 



11 



Application No, 10/032,610 Docket No.: 20070461 

Reply to Office Action of April 6, 2007 

3* "identifying one or more inventoried assets that relate to the 
identified criterion 9 ' 

Independent claims 1,9, 17, and 24 further recite in part "identifying one or more 
inventoried assets that relate to the identified criterion," The Examiner alleged that the 
"Inventory and definition" section of Applicants' Background teaches this recitation. (Office 
Action, page 4.) However, Applicants' Background says nothing at all about "identifying one or 
more inventoried assets that relate to the identified criterion." Therefore, Applicants' 
Background also fails to teach or suggest at least this recitation of claims 1, 9, 17, and 24. 
Further, Applicants' Background actually teaches away from identifying one or more inventoried 
assets that relate to the identified criterion. 

Applicants' Background says nothing at all about "identifying one or more inventoried 
assets that relate to the identified criterion," The Examiner relied on the statement that "[o]nce 
assets have been identified, a value is assigned to each asset" (Applicants' Background: page 4, 
lines 13-14.) At most, Applicants' Background suggests assigning a value to a previously 
identified asset, As stated in Applicants' Background, "[t]his value is not only monetary, but 
also may be tied to loss of reputation or loss of trust," (Applicants' Background: page 4, lines 
14-15.) This section says nothing at all about identifying an asset that relates to the identified 
criterion. At most, Applicants' Background suggests that a value can be assigned to previously 
identified assets. 

Further, Applicants' Background teaches away from "identifying one or more inventoried 
assets that relate to the identified criterion " Applicants' Background states that "the 
organization determines its assets . , . [then] a value is assigned to each asset," (Applicants' 
Background: page 4, lines 1 1-14,) To examine the organization for weaknesses that could be 
exploited by an unauthorized outsider, a vulnerability and thread assessment is performed by an 
auditor, The auditor uses a set of assessment criteria to evaluate if vulnerabilities exist. 
(Applicants' Background: page 5, lines 1-9,) Applicants' Background teaches to perform an 
inventory of assets, and then evaluate those assets using a set of criteria. Such a teaching is 
contrary to "identifying one or more inventoried assets that relate to the identified criterion,'" 
Therefore, if Applicants' Background is at all relevant, it actually teaches away from 
"identifying one or more inventoried assets that relate to the identified criterion," 
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Because Applicants' Background not only fails to teach or suggest "identifying one or 
more inventoried assets that relate to the identified criterion," but also teaches away from this 
recitation, the rejections of claims 1, 9, 17, and 24, and the claims that depend therefrom, should 
be withdrawn. 

4, "assessing the risk to the organization based on the measured 
values of the one or more metric equations" 

Independent claims 1,9, 17, and 24 further recite in part "assessing the risk to the 
organization based on the measured values of the one or more metric equations." The Examiner 
alleged that Applicants' Background teaches this recitation, and relied on the statement that 
"[o]nce risk has been assessed and identified, the organization can choose to accept the risk, 
mitigate the risk, or transfer the risk/' (Office Action, page 4.) However, Applicants' 
Background also fails to teach or suggest at least this recitation of claims 1, 9, 17, and 24, 

At most, Applicants 5 Background suggests that once a risk has been assessed, an 
organization can make a decision as to whether to accept, mitigate, or transfer the risk. 
Applicants' Background says nothing at all about "assessing the risk to the organization based on 
the measured values of one or more metric equations." In fact, Applicants' Background does not 
in any way suggest use of metric equations at all, much less "measured values of the one or more 
metric equations." 

Because Applicants' Background fails to teach or suggest "assessing the risk to the 

organization based on the measured values of the one or more metric equations," the rejections 

of claims 1,9, 17, and 24, and the claims that depend therefrom, should be withdrawn. 

5* "formulating one or more metric equations for each identified 
criterion" 

Independent claims 1, 9, 17, and 24 further recite in part "formulating one or more metric 
equations for each identified criterion " The Examiner stated that Applicants' Background fails 
to teach or suggest this recitation of claims 1, 9, 17, and 24. (Office Action, page 3.) The 
Examiner then took Official Notice that "it is old and well-known in the business and scientific 
world to set up metric equations for measured variables, wherein this statement of equality 
between two expressions consisting of variable and/or numbers is used to answer business 
organizational questions in a systematic way." (Office Action, page 3.) 
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However, Applicants expressly do not acquiesce to the taking of Official Notice. 
Therefore, Applicants respectfully request that the Examiner provide an affidavit in the next 
Office Action to support the Official Notice taken, as required by 37 CFR 1 . 1 04(d)(2) and MPEP 
§ 2144.03, Because Applicants' Background fails to teach or suggest "formulating one or more 
metric equations for each identified criterion/' and the Examiner's Official Notice is improper, 
the rejections of claims 1, 9, 17, and 24, and the claims that depend therefrom, should be 
withdrawn, 

C* Dependent Claims 4, 12, 19, and 27 Are Patentable Over Applicants' 
Background And The Examiner's Official Notice 

1. "wherein the plurality of assets are defined to be one of a user 
type, a user population type, a data type and a network type in 
addition to the electronic type and the location type, wherein the 
user type relates to an individual user and the user population 
type relates to a group of users" 

Dependent claims 4, 12, 19, and 27 further recite in part "wherein the plurality of assets 

are defined to be one of a user type, a user population type, a data type and a network type in 

addition to the electronic type and the location type, wherein the user type relates to an 

individual user and the user population type relates to a group of users," The Examiner alleged 

that the "Inventory and definition" section of Applicants' Background teaches this recitation, 

(Office Action, page 4.) However, Applicants' Background says nothing at all about "the 

plurality of assets are defined to be one of a user type, a user population type, a data type and a 

network type in addition to the electronic type and the location type, wherein the user type . 

relates to an individual user and the user population type relates to a group of users." Therefore, 

Applicants' Background fails to teach or suggest at least this recitation of dependent claims 4, 

12, 19, and 27. 

At most, Applicants' Background suggests that an "organization determines its assets 
(e.g., electronic devices, electronically stored data, etc.) that are involved in support of critical 
processes." (Applicants' Background: page 4, lines 11-13.). Applicants' Background says 
nothing at all about "the plurality of assets are defined to be one of a user type, a user population 
type, a data type and a network type in addition to the electronic type and the location type, 
wherein the user type relates to an individual user and the user population type relates to a group 
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of users." In fact, Applicants' Background makes no mention of "a user type, a user population 

type, a data type, [or] a network type." 

Because Applicants' Background fails to teach or suggest "wherein the plurality of assets 

are defined to be one of a user type, a user population type, a data type and a network type in 

addition to the electronic type and the location type, wherein the user type relates to an 

individual user and the user population type relates to a group of users " the rejections of claims 

4, 12, 19, and 27, and the claims that depend therefrom, should be withdrawn. 

D. The Examiner's Failure To Make A Prima Facie Obviousness Rejection Of 
Dependent Claims 2, 3, 5-8, 10, 11, 13-16, 20-23, 25, 26, and 28-31 

1, "formulating one or more metric equations for each identified 
criterion" 

Claims 2, 3, 5-8, 10, 1 1, 13-16, 20-23, 25, 26, and 28-31 are all dependent claims, and 
each claim depends from an independent claim that recites in part "formulating one or more 
metric equations for each identified criterion." Because these claims are dependent, they each 
necessarily incorporate all of the recitations of the independent claim from which they depend. 
As such, claims 2, 3, 5-8, 10, 1 1, 13-16, 20-23, 25, 26, and 28-31 each necessarily incorporates 
"formulating one or more metric equations for each identified criterion." 

The Examiner alleged that these dependent claims were unpatentable over Applicants' 
Background in combination Norton. (Office Action, page 4.) However, the Examiner failed to 
make a prima facie obviousness rejection by failing to account for this recitation found in the 
independent claims. The Examiner conceded that Applicants' Background fails to teach or. 
suggest this recitation of claims 1, 9, 17, and 24. (Office Action, page 3.) Norton also fails to 
teach or suggest this recitation of claims 1,9, 17, and 24. 

Therefore, the Examiner has failed to establish a prima facie case of obviousness against 
claims 2, 3, 5-8, 10, 1 1, 13-16, 20-23, 25, 26, and 28-3 1 . Although the Examiner failed to 
establish a prima facie obviousness rejection, Applicants nonetheless traversed these rejections in 
order to further prosecution, 



15 



Application No. 10/032,610 Docket No.: 20070461 

Reply to Office Action of April 6, 2007 

E. Dependent Claims 5, 13, 20, and 28 Are Patentable Over Applicants' 
Background In Combination With Norton 

1. "establishing at least one relationship between the plurality of 
assets" 

Dependent claims 5, 13, 20, and 28 further recite in part "establishing at least one 
relationship between the plurality of assets." The Examiner stated that Applicants 5 Background 
does not explicitly disclose this recitation, and cited Norton to compensate for the acknowledged 
deficiency of Applicants' Background. (Office Action, page 5.) However, Norton says nothing 
at all about "establishing at least one relationship between the plurality of assets." Therefore, 
Norton fails to teach or suggest at least this recitation of dependent claims 5, 13, 20, and 28. 

The Examiner alleged that Norton teaches this recitation on page 4, f f 85-90. (Office 
Action, page 5.) At most, Norton discloses a variety of "asset search options" that "enables a 
user not only to search for an asset, but also to view a range of detailed information about the 
selected asset." (Norton: page 4, f[ 85-87.) Norton further discloses that "The Asset tab 70 
displays detailed asset information for the asset selected," and that such information may include 
the asset's serial number, tracking number, purchase order, manufacturer, model number, etc. 
(Norton: pages 4-5, fl[ 88-93.) 

Norton not only fails to disclose "establishing at least one relationship between the 
plurality of assets," but actually makes no mention of this recitation at all Because Norton fails 
to teach or suggest "establishing at least one relationship between the plurality of assets " the 
rejections of claims 5, 1 3, 20, and 28, and the claims that depend therefrom, should be 
withdrawn. 

F - Dependent Claims 6, 14, 2h And 29 Are Patentable Over Applicants* 

Background In Combination With The Examiner's Official Notice And Norton 

h "linking a first asset defined to be in one asset type with a second 
asset defined to be in another asset type" 

Dependent claims 6, 14, 21, and 29, as amended, further recite in part "linking a first 

asset defined to be in one asset type with a second asset defined to be in another asset type." The 

Examiner stated that Applicants' Background does not explicitly disclose this recitation, and 

cited Norton to compensate for the acknowledged deficiency of Applicants' Background. 

(Office Action, page 5.) However, Norton says nothing at all about "linking a first asset defined 
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to be in one asset type with a second asset defined to be in another asset type." Therefore, 
Norton fails to teach or suggest at least this recitation of dependent claims 6, 14, 21 , and 29, 
Again, the Examiner alleged that Norton teaches this recitation on page 4, ffif 85-90. 
(Office Action, page 5.) At most, Norton discloses a variety of "asset search options'* that allow 
a user to search for an asset, and view detailed information about a selected asset. (Norton: page 
4, fl 85-870 

Norton fails to disclose "linking a first asset defined to be in one asset type with a second 

asset defined to be in another asset type/' and actually makes no mention of this recitation at all. 

Because Norton fails to teach or suggest "linking a first asset defined to be in one asset type with 

a second asset defined to be in another asset type," the rejections of claims 6, 14, 2 1, and 29, and 

the claims that depend therefrom, should be withdrawn. 

G - Dependent Claims 7, 15, 22, And 30 Are Patentable Over Applicants 9 

Background In Combination With The Examiner's Official Notice And Norton 

1. "linking a first asset defined to be in one asset type with a second 
asset defined to be in the same asset type" 

Dependent claims 7, 14, 22, and 30, as amended, further recite in part "linking a first 
asset defined to be in one asset type with a second asset defined to be in the same asset type." 
The Examiner stated that Applicants' Background does not explicitly disclose this recitation, and 
cited Norton to compensate for the acknowledged deficiency of Applicants' Background. 
(Office Action, page 5.) However, Norton says nothing at all about "linking a first asset defined 
to be in one asset type with a second asset defined to be in the same asset type." Therefore, 
Norton fails to teach or suggest at least this recitation of dependent claims 6, 14, 21, and 29. 

Again, the Examiner alleged that Norton teaches this recitation on page 4, ff 85-90. 
(Office Action, page 5.) At most, Norton discloses a variety of "asset search options" that allow 
a user to search for an asset, and view detailed information about a selected asset. (Norton: page 
4, ff 85-87.) 

Norton fails to disclose "linking a first asset defined to be in one asset type with a second 
asset defined to be in the same asset type " and actually makes no mention of this recitation at 
all Because Norton fails to teach or suggest "linking a first asset defined to be in one asset type 
with a second asset defined to be in the same asset type," the rejections of claims 7, 15, 22, and 
30, and the claims that depend therefrom, should be withdrawn. 
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CONCLUSION 

In view of the above, all claims are believed to be in condition for allowance. 
Accordingly, reconsideration and allowance are respectfully requested and the Examiner is 
respectfully requested to pass this application to issue. It is believed that any fees associated 
with the filing of this paper are identified in an accompanying transmittal. However, if any 
additional fees are required, they may be charged to Deposit Account 18-0013, under order 
number 65632-0525. To the extent necessary, a petition for extension of time under 37 CJF.R. 
1.136(a) is hereby made, the fee for which should be charged against the aforementioned 
account. 
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